Researchers at Slovak cybersecurity company ESET have identified a new malware family built from custom, well-designed modules. In ESET’s white paper [PDF], the researchers reveal that the malware, dubbed FontOnLake, targets Linux systems and that its modules are under active development.
The malware samples uploaded to VirusTotal indicate that the first intrusion through this previously unidentified threat happened in May 2020. Tencent, Lacework Labs, and Avast are also tracking this malware using the moniker HCRootkit.
We have found a new #Linux #malware leveraging an open source kernel-mode rootkit #Suterusu and we dubbed it #HCRootkit. 1/7
— Avast Threat Labs (@AvastThreatLabs) August 25, 2021
Researchers noted in their report that FontOnLake has a “sneaky nature,” “advanced design,” and “low prevalence,” characteristics that make it well suited to targeted attacks.
According to ESET researcher Vladislav Hrčka, it allows remote access to the attackers, can serve as a proxy server, and steal credentials. This malware family uses “modified legitimate binaries” to collect data, and these binaries have been adjusted to load more components.
Moreover, to stay undetected, the malware uses a rootkit. These binaries are used on Linux systems but “can additionally serve as a persistence mechanism,” Hrčka wrote in a blog post.
The information about its C&C server’s location and the countries where the samples were uploaded indicates that the campaign targets users in Southeast Asia.
ESET researchers further stated that they have discovered two versions of the Linux rootkit, both based on the Suterusu open source project, that perform similar functions such as:
“We believe that FontOnLake’s operators are particularly cautious since almost all samples seen use unique C&C servers with varying non-standard ports. The authors use mostly C/C++ and various third-party libraries such as Boost, Poco, or Protobuf. None of the C&C servers used in samples uploaded to VirusTotal were active at the time of writing – which indicates that they could have been disabled due to the upload,” researchers explained.
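The observation above, that each sample talks to its own C&C server on a non-standard port, translates directly into a hunting heuristic: outbound flows to ports outside the expected set, where the destination is contacted by only one internal host. The script below is an added example written for this article, not ESET's tooling or data; the connection records, hosts and ports are constructed, and the set of "expected" ports is an assumption to be tuned per environment.

```python
from collections import defaultdict

# Ports a typical host is expected to reach outbound; an assumption, tune per environment.
EXPECTED_PORTS = {22, 53, 80, 123, 443, 587, 993}

# Constructed sample of outbound connection records (hypothetical documentation-range
# addresses, not indicators from the report). Format: "src dst dport proto".
SAMPLE_CONNECTIONS = """\
10.0.1.15 93.184.216.34 443 tcp
10.0.1.15 203.0.113.40 8443 tcp
10.0.1.15 203.0.113.40 8443 tcp
10.0.1.22 198.51.100.7 443 tcp
10.0.1.22 203.0.113.88 21211 tcp
10.0.1.30 192.0.2.9 53 udp
10.0.1.30 192.0.2.77 8080 tcp
10.0.1.31 192.0.2.77 8080 tcp
"""


def parse_connections(text):
    """Turn whitespace-separated connection lines into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, dport, proto = line.split()
        records.append({"src": src, "dst": dst, "dport": int(dport), "proto": proto})
    return records


def find_suspect_beacons(records, expected_ports=EXPECTED_PORTS):
    """Return sorted (src, dst, dport) tuples for destinations on non-standard ports
    that only a single internal host ever contacts. A destination shared by several
    hosts (e.g. an internal proxy on 8080) is left out as probable infrastructure."""
    sources_by_dest = defaultdict(set)
    for r in records:
        if r["dport"] not in expected_ports:
            sources_by_dest[(r["dst"], r["dport"])].add(r["src"])
    return sorted(
        (next(iter(srcs)), dst, dport)
        for (dst, dport), srcs in sources_by_dest.items()
        if len(srcs) == 1
    )


if __name__ == "__main__":
    for src, dst, dport in find_suspect_beacons(parse_connections(SAMPLE_CONNECTIONS)):
        print(f"review: {src} -> {dst}:{dport} (non-standard port, single source host)")
```

On the constructed sample this flags the two one-to-one flows on ports 8443 and 21211 and ignores the 8080 destination that two hosts share. Real flow data (NetFlow, Zeek conn logs, firewall exports) needs the same fields and a per-site port allowlist; the heuristic produces leads for review, not verdicts.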
Interaction of FontOnLake’s components
As shown in the diagram above, FontOnLake’s known components fall into three groups. The first, trojanized applications, are modified legitimate binaries adjusted to carry out a range of malicious activities.
The second group is user-mode backdoors, which serve as the main communication point for the malware operators. The third group consists of rootkits, kernel-mode components that provide fallback backdoors and assist with updates.
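Because the first component group consists of legitimate binaries that have been modified, the basic defensive check is file integrity: hash installed files against a baseline taken before compromise and report anything changed, removed or added. The code below is an added illustration for this article, not ESET's tooling; it builds a constructed directory of fake "binaries" in a temporary folder, baselines it, simulates a trojanized replacement, a deleted file and a dropped-in extra file, and reports the differences. File names and contents are hypothetical.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries do not need to be read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record the SHA-256 of every regular file under root, keyed by relative path."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare the tree under root with a stored baseline manifest."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def demo() -> dict:
    """Constructed scenario: baseline three fake binaries, then tamper with the tree."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "usr/bin").mkdir(parents=True)
        # Hypothetical tool names; the bytes only stand in for real ELF content.
        (root / "usr/bin/tool-a").write_bytes(b"\x7fELF original tool-a")
        (root / "usr/bin/tool-b").write_bytes(b"\x7fELF original tool-b")
        (root / "usr/bin/tool-c").write_bytes(b"\x7fELF original tool-c")
        baseline = build_manifest(root)

        # Simulated post-baseline changes: one binary replaced with a version that
        # carries extra loader code, one removed, one unknown file dropped in.
        (root / "usr/bin/tool-a").write_bytes(b"\x7fELF original tool-a + extra loader")
        (root / "usr/bin/tool-c").unlink()
        (root / "usr/bin/tool-d").write_bytes(b"\x7fELF unknown file")
        return verify_manifest(root, baseline)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

On a real host the baseline should come from a trusted source rather than the possibly compromised machine itself; package-manager verification (`rpm -Va` on RPM systems, `dpkg --verify` or `debsums` on Debian-based systems) plays the same role for packaged files. Note also that a kernel-mode rootkit of the kind described here can lie to userland about file contents, so hashes taken from a live system should be cross-checked against an offline image or a boot from known-good media.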
“Their scale and advanced design suggest that the authors are well versed in cybersecurity and that these tools might be reused in future campaigns,” Hrčka wrote, adding that most of the features are designed to hide FontOnLake’s presence, offer backdoor access, and relay communication.